# help
Vish: Hello, I'm trying to use the Cerbos PDP in a sidecar alongside my application container in a k8s pod. The issue I'm running into is that the `cerbos.sock` file that the Cerbos PDP is listening on in my shared volume is owned by `root`, but my application is running under the `node` user and group and is getting an `EACCES` error when trying to access the `cerbos.sock` file. How can I go about resolving this? I have verified that executing a shell as the root user and manually changing the file ownership with `chown` in my application container to the `node` user and group resolves the error. Thanks
oguzhan: Hi @Vish, there is a configuration parameter `udsFileMode` available in the Cerbos configuration:

```yaml
server:
  udsFileMode: 0o766 # UDSFileMode sets the file mode of the unix domain sockets created by the server.
```
Vish: Thanks for your reply @oguzhan. I did come across that configuration parameter. This only controls the file permissions as far as I understand, equivalent to a `chmod`; I guess I'd need the equivalent of a `chown` instead.
Charith (Cerbos): Hey, since the two containers are running as different users, making the socket world-accessible by setting `udsFileMode` to `777` would work. Alternatively, you can use an init container to create the socket file in advance with the permissions you need. Cerbos only creates the socket file if it doesn't already exist.

You can also make Cerbos listen on 127.0.0.1 so that only your app can make requests to it.
Vish: Thanks @Charith (Cerbos), will give that a go.